CVE Vulnerabilities

CVE-2015-3405

Insufficient Entropy

Published: Aug 09, 2017 | Modified: Feb 13, 2023
CVSS 3.x: 7.5 HIGH
Source: NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 5 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2: 4 LOW
AV:N/AC:H/Au:N/C:P/I:P/A:N
RedHat/V3
Ubuntu: MEDIUM

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and is not '#', which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.

Weakness

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ntp | Ntp | 4.2.8-p1 (including) | 4.2.8-p1 (including) |
| Ntp | Ntp | 4.2.8-p2 (including) | 4.2.8-p2 (including) |
| Ntp | Ntp | 4.2.8-p2-rc1 (including) | 4.2.8-p2-rc1 (including) |
| Ntp | Ntp | 4.3.0 (including) | 4.3.0 (including) |
| Ntp | Ntp | 4.3.1 (including) | 4.3.1 (including) |
| Ntp | Ntp | 4.3.2 (including) | 4.3.2 (including) |
| Ntp | Ntp | 4.3.3 (including) | 4.3.3 (including) |
| Ntp | Ntp | 4.3.4 (including) | 4.3.4 (including) |
| Ntp | Ntp | 4.3.5 (including) | 4.3.5 (including) |
| Ntp | Ntp | 4.3.6 (including) | 4.3.6 (including) |
| Ntp | Ntp | 4.3.7 (including) | 4.3.7 (including) |
| Ntp | Ntp | 4.3.8 (including) | 4.3.8 (including) |
| Ntp | Ntp | 4.3.9 (including) | 4.3.9 (including) |
| Ntp | Ntp | 4.3.10 (including) | 4.3.10 (including) |
| Ntp | Ntp | 4.3.11 (including) | 4.3.11 (including) |
| Red Hat Enterprise Linux 6 | RedHat | ntp-0:4.2.6p5-5.el6 | * |
| Red Hat Enterprise Linux 7 | RedHat | ntp-0:4.2.6p5-22.el7 | * |
| Ntp | Ubuntu | lucid | * |
| Ntp | Ubuntu | precise | * |
| Ntp | Ubuntu | trusty | * |
| Ntp | Ubuntu | trusty/esm | * |
| Ntp | Ubuntu | upstream | * |
| Ntp | Ubuntu | utopic | * |
| Ntp | Ubuntu | vivid | * |
